Hi List,
Question: we have joined a machine into AD domain B. This domain has a one-way trust to domain A. No direct connection from domain B's network to the DCs in domain A is possible.
Can we use SSSD to authenticate members of domain A?
In Windows this works, but I can't get it working in Linux via SSSD (Fedora 25, used realmd for the AD join).
Thanks,
Ondrej
-----

Hi,
I have an error message that I do not understand, because I have 2 Ubuntu
servers set up the same way (one Ubuntu 14.04 and one Ubuntu 16.04). Ubuntu
14 is working fine, I can authenticate and sudo just fine; Ubuntu 16 can
list users and groups but I cannot authenticate nor sudo. And I see in
sssd_domain.log:
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_server_status] (0x1000): Status of server '<servername>' is 'name resolved'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_port_status] (0x1000): Port status of port 389 for server '<servername>' is 'not working'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_server_status] (0x1000): Status of server '<servername2>' is 'name resolved'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_port_status] (0x1000): Port status of port 389 for server '<servername2>' is 'not working'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
Of course, port 389 is indeed reachable, and I have joined and re-joined
the domain several times, deleted the computer object in AD, checked
several times that the keytab was created, and that I could kinit with it...
One thing is that I join a child AD domain and try to log in with an
account from the main domain; that is probably an issue, but as that works
on the other Ubuntu with the same setup, I am stuck...
Thanks,
Jeremy
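As an added example (not part of Jeremy's post, and not SSSD's own tooling), here is a small parser for the failover lines quoted above. It reads the back end's `get_server_status` / `get_port_status` messages and separates the two things the log actually says: name resolution succeeded for both servers, and SSSD's failover code has port 389 marked 'not working' after an earlier connection attempt failed. The sample input is the log from the post with the poster's `<servername>` placeholders kept; the function names and the wording of the findings are this example's own.

```python
"""Parse SSSD back-end failover (fo_*) debug lines and explain why the
provider went offline.

Added example, not part of the original thread. SAMPLE_LOG is copied from
the post above (poster's <servername> placeholders kept); the helper
names and finding texts are this example's own.
"""
import re
from collections import defaultdict

# One SSSD debug line: "(timestamp) [sssd[be[domain]]] [function] (level): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
SERVER_RE = re.compile(r"Status of server '(?P<server>[^']+)' is '(?P<status>[^']+)'")
PORT_RE = re.compile(
    r"Port status of port (?P<port>\d+) for server '(?P<server>[^']+)' is '(?P<status>[^']+)'"
)
NOSERVER_RE = re.compile(r"No available servers for service '(?P<service>[^']+)'")
OFFLINE_RE = re.compile(
    r"Failed to connect, going offline \((?P<errno>\d+) \[(?P<errstr>[^\]]+)\]\)"
)

SAMPLE_LOG = """\
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_server_status] (0x1000): Status of server '<servername>' is 'name resolved'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_port_status] (0x1000): Port status of port 389 for server '<servername>' is 'not working'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_server_status] (0x1000): Status of server '<servername2>' is 'name resolved'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_port_status] (0x1000): Port status of port 389 for server '<servername2>' is 'not working'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
"""


def parse_failover_log(text):
    """Return a dict with per-server name/port state and offline events."""
    report = {
        "servers": defaultdict(lambda: {"name_status": None, "ports": {}}),
        "unavailable_services": [],
        "offline_events": [],
        "unparsed": 0,
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            report["unparsed"] += 1
            continue
        msg = m["msg"]
        if s := SERVER_RE.search(msg):
            report["servers"][s["server"]]["name_status"] = s["status"]
        elif p := PORT_RE.search(msg):
            report["servers"][p["server"]]["ports"][int(p["port"])] = p["status"]
        elif n := NOSERVER_RE.search(msg):
            report["unavailable_services"].append(n["service"])
        elif o := OFFLINE_RE.search(msg):
            report["offline_events"].append((m["ts"], int(o["errno"]), o["errstr"]))
    report["servers"] = dict(report["servers"])
    return report


def diagnose(report):
    """Turn the parsed state into human-readable findings."""
    findings = []
    for server, st in report["servers"].items():
        dead = [p for p, s in st["ports"].items() if s == "not working"]
        if st["name_status"] == "name resolved" and dead:
            findings.append(
                f"{server}: DNS resolution succeeded but SSSD's failover code has "
                f"port(s) {dead} marked 'not working'; an earlier connection attempt "
                "failed or timed out, so check the LDAP/Kerberos exchange to that "
                "host (firewall, SRV target, keytab) rather than DNS"
            )
        elif st["name_status"] not in (None, "name resolved"):
            findings.append(f"{server}: name lookup state is '{st['name_status']}'")
    for svc in report["unavailable_services"]:
        findings.append(f"service '{svc}': every configured server is currently marked down")
    for ts, errno, errstr in report["offline_events"]:
        findings.append(f"{ts}: back end went offline, errno {errno} ({errstr})")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_failover_log(SAMPLE_LOG)):
        print("-", finding)
```

Run it against a real sssd_domain.log by reading the file into `parse_failover_log`; lines that are not failover messages are counted in `unparsed` rather than dropped silently, so a zero there tells you the regexes matched the log format in use.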

Hi,
I am trying to set up authentication against Active Directory, with
multiple domains, and I haven't been able to find the recommended way to do
it (it is very possible I missed it...), so I am looking for explanation
and advice.
With a master domain example.com, and subdomains sub1.example.com,
sub2.example.com, etc., how would you set up sssd (and the Linux system) to
authenticate the users from all the domains?
To give an example, my user is AD admin across all the forests
(my_user(a)example.com), and I want to authenticate on all the servers,
smtp.example.com or proxy.sub1.example.com, etc. I also want, on some
computers, to authenticate customers' accounts (my_customer(a)sub1.example.com).
For now, I have 2 different setups:
- on computers from example.com
[sssd]
config_file_version = 2
debug_level = 0
domains = example.com
services = nss, pam
[domain/example.com]
enumerate = true
dns_discovery_domain = cy2._sites.example.com
debug_level = 8
id_provider = ad
access_provider = ad
ldap_id_mapping = false
#dyndns_update = false
- on computer from sub1.example.com
[sssd]
config_file_version = 2
debug_level = 0
domains = sub1.example.com,example.com
services = nss, pam
[domain/example.com]
enumerate = true
dns_discovery_domain = cy2._sites.example.com
debug_level = 9
id_provider = ad
access_provider = ad
ldap_id_mapping = false
[domain/sub1.example.com]
enumerate = true
dns_discovery_domain = cy2._sites.sub1.example.com
debug_level = 7
id_provider = ad
access_provider = ad
ldap_id_mapping = false
I join computer to example.com or to sub1.example.com:
adcli join example.com -U my_user(a)EXAMPLE.COM
or
adcli join sub1.example.com -U my_user(a)EXAMPLE.COM
as I would do with an ordinary windows workstation.
And for AD, I use the POSIX attributes (and that may be the issue...), so if a
UID or GID exists in both domains, I happen to find wrong group names, etc.
I hope my questions are clear enough! :-) What am I doing wrong? What are
the recommended settings for that situation?
Thanks,
Jeremy
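As an added example (not part of Jeremy's post, and not an SSSD tool), the script below does two checks a practitioner would want before trusting POSIX attributes across domains: it parses the sub1.example.com sssd.conf quoted above with Python's configparser and lists the domains that use `ldap_id_mapping = false` (the `fallback=True` assumes `id_provider = ad`, where ID mapping is on by default), and then it looks for uidNumber/gidNumber values that appear in more than one domain. The passwd and group lines are constructed sample data, not real directory contents, with one uid and one gid clashing on purpose.

```python
"""Flag POSIX UID/GID collisions across SSSD domains.

Added example, not from the original post. SSSD_CONF is the poster's
sub1.example.com configuration copied from the post; PASSWD_BY_DOMAIN and
GROUP_BY_DOMAIN are constructed `getent passwd` / `getent group` style
records, not real data.
"""
import configparser

SSSD_CONF = """\
[sssd]
config_file_version = 2
debug_level = 0
domains = sub1.example.com,example.com
services = nss, pam

[domain/example.com]
enumerate = true
dns_discovery_domain = cy2._sites.example.com
debug_level = 9
id_provider = ad
access_provider = ad
ldap_id_mapping = false

[domain/sub1.example.com]
enumerate = true
dns_discovery_domain = cy2._sites.sub1.example.com
debug_level = 7
id_provider = ad
access_provider = ad
ldap_id_mapping = false
"""

# Constructed records; uid 1001 and gid 2001 are reused across domains on purpose.
PASSWD_BY_DOMAIN = {
    "example.com": [
        "my_user:*:1000:1000:Admin User:/home/my_user:/bin/bash",
        "svc_backup:*:1001:1001:Backup:/home/svc_backup:/bin/false",
    ],
    "sub1.example.com": [
        "my_customer:*:1001:2001:Customer:/home/my_customer:/bin/bash",
    ],
}
GROUP_BY_DOMAIN = {
    "example.com": ["admins:*:2001:my_user", "backup:*:1001:svc_backup"],
    "sub1.example.com": ["customers:*:2001:my_customer"],
}


def posix_domains(conf_text):
    """Domains listed in [sssd] domains whose section uses POSIX attributes
    (ldap_id_mapping = false) instead of SID-based ID mapping."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    listed = [d.strip() for d in cp["sssd"]["domains"].split(",") if d.strip()]
    result = []
    for dom in listed:
        sect = f"domain/{dom}"
        if sect not in cp:
            raise ValueError(f"{dom} is listed in [sssd] domains but has no [{sect}] section")
        # fallback=True assumes id_provider = ad, where ID mapping defaults to on
        if not cp.getboolean(sect, "ldap_id_mapping", fallback=True):
            result.append(dom)
    return result


def id_collisions(records_by_domain, id_field):
    """Map every numeric ID used by more than one domain to its (domain, name) owners."""
    owners = {}
    for dom, lines in records_by_domain.items():
        for line in lines:
            parts = line.split(":")
            owners.setdefault(int(parts[id_field]), []).append((dom, parts[0]))
    return {i: o for i, o in owners.items() if len({d for d, _ in o}) > 1}


def check(conf_text, passwd, groups):
    """Combine the configuration and data checks into a list of findings."""
    doms = posix_domains(conf_text)
    findings = []
    if len(doms) > 1:
        findings.append(
            f"{len(doms)} domains ({', '.join(doms)}) use POSIX attributes; identical "
            "uidNumber/gidNumber values are ambiguous and resolve to whichever "
            "domain's entry SSSD consults first"
        )
    for uid, who in sorted(id_collisions(passwd, 2).items()):
        findings.append(f"uid {uid} is used by " + ", ".join(f"{n}@{d}" for d, n in who))
    for gid, who in sorted(id_collisions(groups, 2).items()):
        findings.append(f"gid {gid} is used by " + ", ".join(f"{n}@{d}" for d, n in who))
    return findings


if __name__ == "__main__":
    for finding in check(SSSD_CONF, PASSWD_BY_DOMAIN, GROUP_BY_DOMAIN):
        print("-", finding)
```

In the constructed data, my_customer's primary gid 2001 is also the gid of `admins` in example.com, which is exactly the "wrong group names" symptom described in the post: a numeric ID is only unambiguous if the domains share one allocation plan, or if SID-based ID mapping is left on.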

With pam_securid.so I can put, in /etc/pam.d/sshd:
auth sufficient pam_securid.so
and at ssh login I just put the PIN at the Password: prompt, then I get the
Enter SMS Token: prompt, and I can then put the tokencode and ssh into the
server fine.
If I do the same with pam_sss.so it keeps asking for Password: and never
changes the prompt to Enter SMS Token:, and ssh fails badly.
At this second Password: prompt I tried with just the tokencode (at 18:45:34 in
the log below) or PIN and tokencode (at 18:47:55). Neither let me in; both
failed eventually.
I think it is because pam_sss -> proxy -> securid -> pam_securid is failing
to handle the PAM conversation?
Is there a way to fix that so pam_sss behaves the right way and lets me
authenticate in two steps, with the PIN and then the TokenCode on the next step?
Also, without this PAM conversation, when the PIN expires it will not let
you update it. With a simple pam.d/sshd and auth sufficient pam_securid.so
that works very well as well.
I have sssd.conf set up like this:
auth_provider = proxy
proxy_pam_target = securid
And in the pam.d/securid file:
auth sufficient pam_securid.so
Here are some logs, http://dpaste.com/2HD27XH.txt, where
I tried with the PIN at the first Password: prompt and then the TokenCode at
the second Password: prompt at 18:45:34, and failed to log in,
and
I tried with the PIN at the first Password: prompt and then PIN and TokenCode
at the second Password: prompt at 18:47:55, and failed to log in.
I tried with SELinux off and on, with the same result.
If I put PIN and TokenCode at the first Password: prompt, login works fine.
I did not put any log for that here.
Any suggestions on how to fix pam_sss for OTP?
Thanks!
--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Hi,
I have repeated issues with users losing their usernames (only being mapped to their uid; in the terminal it says "I have no name!@host"). It doesn't happen daily, but it is extremely frustrating because they are running scientific pipelines that take a few hours to several days to complete, and as soon as their name is lost, it fails and the pipeline has to start from scratch.
My setup is as follows.
Client: Ubuntu 16.04 (Note that my university has licenses for Red Hat; I could upgrade to it if it will 100% fix my problem. I simply use Ubuntu since a lot of scientific packages are already tailored for it, and it saves me weeks of work).
Server: Windows AD, with a Windows NFS file server.
What I don't understand is that if a user is successfully able to authenticate, why isn't the account cached and used for their entire session? How can a name be lost if it is cached? I have the following in my sssd.conf:
cache_credentials = True
krb5_store_password_if_offline = True
I have had this issue for quite a while, so upon a previous SSSD user's suggestion, I disabled reverse DNS and it seemed to make this occur less often, but as far as I can tell my DNS is set up properly. I can do a `nslookup <host>` and get the proper IP address, and vice versa.
Any help would be greatly appreciated!
Thomas

Hi!
Has anything changed with building the man pages?
I'm asking because I now get formatting markup in the output of man (see
below).
Ciao, Michael.
SSSD-LDAP(5)                 File Formats and Conventions                 SSSD-LDAP(5)
.SH "NAME" sssd-ldap - SSSD LDAP provider
.SH "DESCRIPTION"
.PP This manual page describes the configuration of LDAP domains
for sssd(8). Refer to the “FILE FORMAT” section of the sssd.conf(5)
manual page for detailed syntax information.
.PP You can configure SSSD to use more than one LDAP domain.

Dear SSSD Users,
I have a question regarding the renewal of Kerberos tickets within a
Samba AD. All servers and clients are running Ubuntu 16.04. We have a
lot of Windows clients too; therefore we're using Samba. First of all,
I'll summarize our setup:
- One server acts as the Samba AD Host (and Kerberos (integrated in
Samba) principal)
- One server acts as a file server; all directories (the users' home
directories as well) are exported via kerberized NFS
- The clients mount the directories; login auth is realized using sssd
(with id_provider = ad, auth_provider = ad and access_provider = ad)
When a user logs in at a client, he gets a Kerberos ticket and is
therefore granted access to his home directory. If he locks the screen
and logs in again, the ticket is renewed. However, if the user keeps the
client locked for a time greater than the ticket lifetime, the ticket
expires and the user is not able to write to his home directory any
more. That's a problem if the user is, for example, running a process
which takes a long time (in our case mostly simulations which are
usually run overnight). The same thing happens if a user connects to a
client via ssh. Then, the ticket is never renewed automatically.
Is it somehow possible to configure sssd to renew the krb5 ticket if
the user has active processes running?
Regards
Michael
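As an added example (not part of Michael's post, and not SSSD or MIT Kerberos code), the script below reads a `klist`-style credential cache listing and reports the first thing worth checking in this situation: whether the TGT the KDC issued is renewable at all. If there is no "renew until" line, no renewal loop (SSSD's or anyone else's) can extend it past "Expires", and a job longer than the remaining lifetime will lose access to the kerberized NFS home directory. The `KLIST_OUTPUT` text is constructed to look like MIT `klist` output; `parse_klist` and `tgt_status` are this example's own names, and the job-survival rule is a simplification that ignores the timing of individual renewals.

```python
"""Report whether a Kerberos TGT can outlive a long-running job.

Added example, not from the original post. KLIST_OUTPUT is constructed
sample text in the style of MIT `klist`; the helper names and the
survival rule are this example's own simplification.
"""
import re
from datetime import datetime

# Constructed sample: a 10-hour TGT issued renewable for 7 days, plus an NFS ticket.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: my_user@EXAMPLE.COM

Valid starting       Expires              Service principal
10/20/2017 16:27:29  10/21/2017 02:27:29  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 10/27/2017 16:27:29
10/20/2017 16:27:30  10/21/2017 02:27:29  nfs/files.example.com@EXAMPLE.COM
"""

TS = "%m/%d/%Y %H:%M:%S"
STAMP = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")
RENEW_RE = re.compile(rf"^renew until ({STAMP})$")


def parse_klist(text):
    """Return one dict per ticket: start, expires, principal, renew_until (or None)."""
    tickets = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := TICKET_RE.match(line):
            tickets.append({
                "start": datetime.strptime(m[1], TS),
                "expires": datetime.strptime(m[2], TS),
                "principal": m[3],
                "renew_until": None,
            })
        elif (r := RENEW_RE.match(line)) and tickets:
            # The "renew until" line belongs to the ticket printed just above it.
            tickets[-1]["renew_until"] = datetime.strptime(r[1], TS)
    return tickets


def tgt_status(tickets, now, job_seconds):
    """Classify the TGT at time `now` (datetime or klist-format string) and say
    whether a job of `job_seconds` can keep a valid ticket, assuming renewals
    happen before each expiry while the renewable lifetime lasts."""
    if isinstance(now, str):
        now = datetime.strptime(now, TS)
    tgt = next((t for t in tickets if t["principal"].startswith("krbtgt/")), None)
    if tgt is None:
        return {"state": "no-tgt", "job_ok": False}
    if now >= tgt["expires"]:
        return {"state": "expired", "job_ok": False}
    remaining = int((tgt["expires"] - now).total_seconds())
    if tgt["renew_until"] is None or tgt["renew_until"] <= tgt["expires"]:
        # Not renewable: only the remaining lifetime counts; no renewal loop can help.
        return {"state": "valid-not-renewable", "remaining_s": remaining,
                "job_ok": job_seconds <= remaining}
    window = int((tgt["renew_until"] - now).total_seconds())
    return {"state": "renewable", "remaining_s": remaining,
            "renew_window_s": window, "job_ok": job_seconds <= window}


if __name__ == "__main__":
    # In practice feed it `subprocess.run(["klist"], capture_output=True, text=True).stdout`.
    print(tgt_status(parse_klist(KLIST_OUTPUT), "10/20/2017 20:00:00", 48 * 3600))
```

A renewable TGT only helps if something actually renews it before it expires; the status dict separates the remaining lifetime (`remaining_s`) from the renewable window (`renew_window_s`) so you can see which of the two a given job would run out of first.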